Computer networks are subject to a variety of security breaches. One such type of breach occurs when a user or computer system falsely identifies itself, in order to access resources that it is not authorized to access, or to otherwise avoid being correctly associated with a request. To facilitate request authentication, a request for service to a party providing a resource or service, hereinafter referred to as a “relying party,” includes the identity of the requester in a manner such that the relying party can verify the authenticity of the identity. Request authentication is the process of verifying the identity of the sender of a request. Authentication provides some level of security that each party's identification is accurate. The identity of the requester forms the basis for access control decisions made by the relying party.
One type of request authentication includes the use of a username and password. A stronger type of authentication involves the use of a security token. Some types of security tokens are issued by a trusted identity provider. Possession of a security token serves to provide proof of identity for the possessing party. Some security tokens have embedded cryptographic keys for stronger security.
In one type of interaction, a requester acquires a security token from an identity provider. The requester then presents the security token with a service request to a party providing a resource or service. The resource provider has a trust relationship with the identity provider that serves as assurance of the authenticity of the security token.
Representational state transfer (REST) is a style of software architecture for distributed systems such as the World Wide Web. REST generally refers to an interface that transmits domain-specific data over HTTP without an additional messaging layer such as SOAP. HTTP provides an interface including methods, such as GET, POST, UPDATE, and DELETE, that conform to a “RESTful” architecture. One aspect of the REST architecture is the support of stateless servers, in which each message includes the information necessary to understand the message, freeing a server from needing to remember communication state between messages. This facilitates scaling of servers, such as in a server farm.
RFC 2617, available at <http://www.ietf.org/rfc/rfc2617.txt>, describes a BASIC authentication scheme in which a username and password may be passed in an HTTP header field. The RFC describes this scheme as “not considered to be a secure method of user authentication, as the user name and password are passed over the network in an unencrypted form.” The RFC also describes a “Digest Access Authentication” scheme, in which a hash of a username, password, a nonce value, the HTTP method, and the requested URI is used. The RFC states that the digest scheme “... suffers from many known limitations.”